
Update on the initial infection vector of the Petya ransomware campaign

This is an example of where a lack of patching and continued use of outdated protocols presents a significant risk to organisational IT security.

From reports and analysis performed to date, this version of the ransomware appears to have been delivered via a malicious software update for My Electronic Document (M.E.Doc), which is accounting software used by Ukrainian-based companies. It appears that almost all affected organisations can be linked back to Ukraine either through direct or indirect connections. While only a relatively small number of organisations have been impacted globally, for those affected the impact has been severe.

Some of the initial confusion regarding delivery mechanisms was caused by public reporting from companies whose networks extend into Ukraine. The propagation mechanism allowed the malware to spread via the corporate network to offices in other countries, where the incidents were then publicly reported.

Once devices are infected, the ransomware collects credentials and uses publicly known vulnerabilities in Microsoft Windows, as well as common administrative tools, to move laterally through the network. Microsoft published patches to mitigate these vulnerabilities in March 2017.
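The following is an added example, not code from the ACSC advisory, that reports on the conditions the update describes: whether the March 2017 Windows security updates are installed, whether the SMBv1 server protocol is still enabled, and whether WDigest plaintext credential caching is turned on (which makes credential collection after a compromise easier). It is read-only and assumes an elevated session on Windows 8.1 / Server 2012 R2 or later; the advisory does not list the update identifiers, so $RequiredKBs is a placeholder to be filled from your patch-management records.

```powershell
# Added example (not ACSC's code): read-only posture check for the conditions the
# advisory calls out. Requires an elevated PowerShell session on Windows 8.1 /
# Server 2012 R2 or later (Get-SmbServerConfiguration is absent on older releases).

# Placeholder: the advisory does not list the March 2017 update IDs; fill these in
# from your own patch-management system.
$RequiredKBs = @('KBnnnnnnn')

# Patching check: which of the required updates are not present on this host
$installed  = Get-HotFix | Select-Object -ExpandProperty HotFixID
$missingKBs = $RequiredKBs | Where-Object { $_ -notin $installed }

# Outdated protocol check: SMBv1 server component still enabled
$smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol

# Credential caching check: UseLogonCredential = 1 keeps plaintext credentials in
# memory; the value is normally absent on Windows 8.1+ unless explicitly set.
$wdigestPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$wdigest = (Get-ItemProperty -Path $wdigestPath -Name UseLogonCredential `
            -ErrorAction SilentlyContinue).UseLogonCredential

[pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    MissingUpdates     = if ($missingKBs) { $missingKBs -join ', ' } else { 'none' }
    SMB1ServerEnabled  = $smb1Enabled
    WDigestCredCaching = if ($null -eq $wdigest) { 'not set' } else { $wdigest }
} | Format-List
```

A result of any missing updates, SMB1ServerEnabled = True, or WDigestCredCaching = 1 matches the risk profile described above and should be remediated through normal patch and configuration management; running the script across a fleet (for example via Invoke-Command) gives a quick view of exposure without changing anything on the hosts.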


The ACSC's recommendations have not changed and are available below.

Update on the impact of the Petya ransomware campaign

We are aware of media reports regarding three allegedly affected companies in Australia and have reached out to offer assistance. CERT Australia has made contact with all of these organisations.


Reporting from the international CERT community indicates that only a relatively small number of victims have been impacted globally.

However, many of the affected organisations are large multinational companies, and the impact to them has been severe, with the effects being seen in multiple countries.